USN-870-1: PyGreSQL vulnerability

Posted 12-10-2009

Referenced CVEs:
CVE-2009-2940


Description:
===========================================================
Ubuntu Security Notice USN-870-1              December 11, 2009
pygresql vulnerability
CVE-2009-2940
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 8.04 LTS
Ubuntu 8.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 8.04 LTS:
  python-pygresql                 1:3.8.1-2ubuntu0.1

Ubuntu 8.10:
  python-pygresql                 1:3.8.1-3ubuntu0.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Steffen Joeris discovered that PyGreSQL 3.8 did not use PostgreSQL's safe
string and bytea functions in its own escaping functions. As a result,
applications written to use PyGreSQL's escaping functions are vulnerable to
SQL injections when processing certain multi-byte character sequences.

Because the safe functions require a database connection, to maintain
backwards compatibility, pg.escape_string() and pg.escape_bytea() are still
available, but applications will have to be adjusted to use the new
pyobj.escape_string() and pyobj.escape_bytea() functions. For example, code
containing:

  import pg
  connection = pg.connect(...)
  escaped = pg.escape_string(untrusted_input)

should be adjusted to use:

  import pg
  connection = pg.connect(...)
  escaped = connection.escape_string(untrusted_input)
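The advisory says only that escaping without a connection breaks on "certain multi-byte character sequences". The following is an added, self-contained illustration of why, written for this post; it is not PyGreSQL's code or Ubuntu's. Both escapers are simplified stand-ins (naive_escape() for the old connection-less pg.escape_string(), connection_escape() for connection.escape_string()), tail_after_literal() is a toy model of a server lexer with backslash escapes enabled (the PostgreSQL 8.x default, standard_conforming_strings = off), and GBK is an assumed client encoding chosen because one of its valid two-byte characters ends in the byte 0x5C, the backslash. The payloads are constructed for the demonstration.

```python
"""
Added illustration (not PyGreSQL's or Ubuntu's code) of the bug class in
USN-870-1: a byte-oriented escaper that ignores the connection's client
encoding can be defeated by multi-byte sequences.  Everything here is a
simplified model: naive_escape() stands in for the old pg.escape_string(),
connection_escape() for connection.escape_string(), tail_after_literal() is
a toy lexer with backslash escapes enabled, and GBK is an assumed client
encoding; the advisory itself names no encoding.
"""


def naive_escape(data: bytes) -> bytes:
    """Escape at the byte level, without knowing the client encoding.
    Every 0x27 (') and 0x5C (\\) byte gets a backslash in front of it, even
    when that byte is really the trail byte of a two-byte character."""
    return data.replace(b"\\", b"\\\\").replace(b"'", b"\\'")


def connection_escape(data: bytes, encoding: str) -> bytes:
    """Escape with knowledge of the connection's client encoding: decode
    first (rejecting malformed sequences), escape per character, re-encode.
    A backslash can therefore never land inside a multi-byte character."""
    text = data.decode(encoding)  # raises UnicodeDecodeError on bad input
    return text.replace("\\", "\\\\").replace("'", "\\'").encode(encoding)


def build_query(escaped: bytes) -> bytes:
    """Splice the escaped value into a single-quoted literal, the way an
    application using escape_string() would."""
    return b"SELECT * FROM users WHERE name = '" + escaped + b"'"


def tail_after_literal(query: bytes, encoding: str) -> str:
    """Toy model of the server side: decode the whole query in the client
    encoding, scan the first single-quoted literal honouring backslash
    escapes, and return the text after its closing quote.  An empty string
    means the value stayed inside the literal; anything else is SQL the
    attacker injected.  Raises ValueError if the literal never closes."""
    text = query.decode(encoding, errors="replace")
    i = text.index("'") + 1
    while i < len(text):
        if text[i] == "\\":
            i += 2  # escaped character, skip it
            continue
        if text[i] == "'":
            return text[i + 1:]
        i += 1
    raise ValueError("unterminated string literal")


def check(payload: bytes, encoding: str = "gbk") -> dict:
    """Run both escapers on one payload and report, per escaper, what the
    toy lexer sees after the literal."""
    escapers = {
        "naive": naive_escape,
        "connection": lambda d: connection_escape(d, encoding),
    }
    out = {}
    for name, escape in escapers.items():
        try:
            out[name] = tail_after_literal(build_query(escape(payload)), encoding)
        except UnicodeDecodeError:  # must precede ValueError: it is a subclass
            out[name] = "rejected"
        except ValueError:
            out[name] = "unterminated"
    return out


# Constructed inputs.  In GBK a lead byte 0x81-0xFE is followed by a trail
# byte 0x40-0x7E or 0x80-0xFE, so 0xBF 0x5C is one character (U+7E17) while
# 0xBF followed by the ASCII quote 0x27 is an invalid sequence.
ATTACK = b"\xbf' OR 1=1 -- "  # byte-level escaping turns 0xBF 0x27 into 0xBF 0x5C 0x27
BENIGN = b"\xbf\x5c"          # a legitimate GBK character whose trail byte is '\\'

if __name__ == "__main__":
    for label, payload in (("attack", ATTACK), ("benign", BENIGN)):
        print(label, check(payload))
```

For the attack payload the byte-level escaper emits 0xBF 0x5C 0x27; the server, decoding in GBK, reads 0xBF 0x5C as one character and the following 0x27 as an unescaped quote, so the literal closes early and " OR 1=1 -- " runs as SQL. The encoding-aware escaper refuses the malformed sequence outright. The benign payload shows the other failure mode: byte-level escaping doubles the 0x5C trail byte and the server then sees a backslash that swallows the closing quote, corrupting the statement, while the connection-aware escaper leaves the character intact.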




